Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Page MenuHomePhabricator
Create Task
Maniphest T272297

User script on user subpage doesn't work after user rename
Open, In Progress, MediumPublic
Actions

Assigned To
None
Authored By
1997kB
Jan 18 2021, 1:05 PM
Tags
Referenced Files
None
Subscribers
1997kB
Aklapper
aliu
CptViraj
DannyS712
Excellence
Facenapalm
View All 21 Subscribers
Tokens
"Like" token, awarded by Pppery."The World Burns" token, awarded by Wellverywell."The World Burns" token, awarded by MBH."The World Burns" token, awarded by Jack_who_built_the_house.

Description

When a user is renamed, their user scripts too, but on the old title a redirect is set to the new (Eg: Old title and New title). And recently a user found that the script doesn't work for anyone who had installed the script before rename.

As a lot of users get renamed every day, it is not possible to fix these plus they require an interface admin.

Details

SubjectRepoBranchLines +/-
Allow loading JS/CSS pages orphaned due to user renamesmediawiki/coremaster+38 -15
Customize query in gerrit

Related Objects

Event Timeline

1997kB created this task.Jan 18 2021, 1:05 PM
Restricted Application added a project: MediaWiki-extensions-CentralAuth. · View Herald TranscriptJan 18 2021, 1:05 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
1997kB updated the task description. (Show Details)Jan 18 2021, 1:07 PM
1997kB updated the task description. (Show Details)
taavi subscribed.Jan 18 2021, 1:39 PM

Can't reproduce, the redirect works fine with my Firefox 78.6.1 ESR on Debian buster. Which browser are you using?

1997kB updated the task description. (Show Details)EditedJan 18 2021, 1:41 PM

I am using Chrome Version 87.0.4280.141. Tried firefox 84.0.2 and I can reproduce it.

taavi added projects: JavaScript, Security-Team.Jan 18 2021, 1:51 PM

{F34006552}

Ah, that explains it (and why I couldn't reproduce by just copying and pasting the code to my browsers console). Tagging security for awareness.

taavi moved this task from Backlog to GlobalRename / Vanishing on the MediaWiki-extensions-CentralAuth board.Jan 18 2021, 1:54 PM
CptViraj subscribed.Jan 18 2021, 2:16 PM
Aklapper renamed this task from User scipt doesn't work after rename to User script on user subpage doesn't work after user rename.Jan 18 2021, 4:24 PM
Aklapper added a comment.Jan 18 2021, 4:30 PM

I think URL breakage is intended, see T207603: CVE-2019-12471: Loading JS from user space where the username is not a registered account is dangerous and should be banned.

Any proposals what else to do? "Block" the previous username forever?

1997kB added a comment.EditedJan 18 2021, 4:37 PM

Currently old username is added to antispoof so only an account creator or admin can register them, but if that's not enough, I support it blocking forever (only when js pages are involved and there's a redirect) instead of breaking all these scripts.

taavi added a project: MediaWiki-User-rename.Jan 18 2021, 4:41 PM
DannyS712 subscribed.Jan 19 2021, 2:38 AM

Security tasks {T256558} and {T183212} may be relevant

Reedy added a project: MediaWiki-General.Jan 25 2021, 4:20 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.Jan 25 2021, 4:23 PM
sbassett added a project: SecTeam-Processed.Feb 1 2021, 5:39 PM
sbassett edited projects, added Vuln-DoS; removed Security-Team.Oct 13 2021, 7:28 PM
Zabe subscribed.Dec 20 2021, 8:37 PM
MdsShakil subscribed.Jun 10 2022, 8:59 AM
Titore subscribed.Dec 25 2022, 12:40 AM
Soon2849 removed projects: Vuln-DoS, SecTeam-Processed, MediaWiki-General, MediaWiki-User-rename, JavaScript, MediaWiki-extensions-CentralAuth, GlobalRename.Dec 26 2022, 7:35 AM
Soon2849 set the point value for this task to 9999999.
Soon2849 removed subscribers: Titore, MdsShakil, Zabe and 5 others.
Yahya removed the point value for this task.Dec 26 2022, 7:43 AM
Yahya added subscribers: MdsShakil, Titore, Zabe and 5 others.
Yahya added projects: Vuln-DoS, SecTeam-Processed, MediaWiki-General, MediaWiki-User-rename, JavaScript, MediaWiki-extensions-CentralAuth, GlobalRename.Dec 26 2022, 7:46 AM
Tgr subscribed.Oct 2 2023, 5:03 AM

We could probably allow loading orphaned javascript pages as long as they are redirects, those are already protected against editing.

Tgr mentioned this in T36958: User-level gadgets (aka "Gadgets 3.0").Oct 2 2023, 5:05 AM
MBH subscribed.Dec 31 2023, 10:21 AM
Jack_who_built_the_house awarded a token.Dec 31 2023, 10:21 AM
Jack_who_built_the_house subscribed.
MBH awarded a token.Dec 31 2023, 10:23 AM
Excellence subscribed.Dec 31 2023, 10:27 AM
IKhitron subscribed.Dec 31 2023, 10:37 AM
MaterialWorks subscribed.Dec 31 2023, 11:20 AM
Jack_who_built_the_house added a comment.Dec 31 2023, 11:26 AM

So, if a Toolforge account maintaining a script is adopted, the script is moved, BAM – all script users no longer can load it, until an interface-admin runs a bot task to replace the user name in the scripts loading it. (This is what just happened in ruwiki.)

gerritbot added a comment.Dec 31 2023, 12:17 PM

Change 986666 had a related patch set uploaded (by SD0001; author: SD0001):

[mediawiki/core@master] Allow loading JS/CSS pages orphaned due to user renames

https://gerrit.wikimedia.org/r/986666

gerritbot added a project: Patch-For-Review.Dec 31 2023, 12:17 PM
SD0001 subscribed.Dec 31 2023, 12:19 PM
In T272297#9214199, @Tgr wrote:

We could probably allow loading orphaned javascript pages as long as they are redirects, those are already protected against editing.

Sounds like a good idea. Filed a patch to do this. ^

Novem_Linguae subscribed.Dec 31 2023, 1:04 PM
Wellverywell awarded a token.Dec 31 2023, 6:03 PM
Pppery awarded a token.Mar 28 2024, 8:03 PM
Facenapalm subscribed.Apr 9 2024, 12:45 PM
stjn edited projects, added Security-Team; removed SecTeam-Processed.Apr 9 2024, 12:48 PM
stjn subscribed.

This continuously causes issues with user scripts after any rename, I am asking someone from Security-Team to take time to review the patch provided.

sbassett moved this task from Watching to Incoming on the Security-Team board.Apr 12 2024, 1:19 PM
sbassett moved this task from Incoming to In Progress on the Security-Team board.Apr 15 2024, 4:25 PM
sbassett edited projects, added SecTeam-Processed; removed GlobalRename.
sbassett added subscribers: mmartorana, sbassett.
In T272297#9700700, @stjn wrote:

This continuously causes issues with user scripts after any rename, I am asking someone from Security-Team to take time to review the patch provided.

@mmartorana will have a look. As long as there aren't any issues with username usurpation, etc, the patch is probably fine.

mmartorana changed the task status from Open to In Progress.Apr 23 2024, 2:30 PM
mmartorana triaged this task as Medium priority.
mmartorana added a comment.Apr 29 2024, 4:28 PM

Hey @stjn - I voted +1 on the gerrit change, as the proposed change appears to be secure in my opinion.

Novem_Linguae added a comment.Aug 12 2024, 3:16 AM

This came up today at https://en.wikipedia.org/wiki/User_talk:Anne_drew/SetupAutoArchive#Page_move. It's a bit unintuitive for redirects generated by an official MediaWiki extension to not work. Hopefully the patch in this ticket can continue moving forward.

WENDERSON100 removed an attached file: Restricted File. (Show Details)Aug 25 2024, 6:02 AM
aliu subscribed.Oct 29 2024, 4:36 PM

@mmartorana it looks like someone needs to re-vote on code review now that CI is passing

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits